Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law. The case centers around the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online activity while publicly professing to respect users’ Safari browser settings. While the Third Circuit affirmed the trial court’s dismissal of federal claims under the Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), the court vacated the district court’s dismissal of the plaintiffs’ claims under California tort law and the California constitution’s right to privacy.
The Third Circuit first determined that the plaintiffs had standing under Article III to pursue their claims. The court held that the plaintiffs alleged “concrete, particularized, and actual” injuries sufficient to grant Article III standing based on the complaint’s allegations that the defendants “implanted tracking cookies on their personal computers.” Beyond noting that Google’s argument requiring “actual monetary loss” to bring a federal lawsuit reads Article III jurisprudence too narrowly, the court’s analysis of the standing issue was limited. To the extent the opinion suggested that Article III standing can arise solely from allegations that a statutorily-created legal right was violated, this proposition may soon be addressed by the Supreme Court in the pending Spokeo appeal.
Having resolved the standing issue, the court turned to the plaintiffs’ Wiretap Act claim, concluding that the allegations at issue did not describe a scenario where Google had intercepted communications between two other parties. Instead, the court determined that the complaint described a scenario where the plaintiffs’ browsers, upon visiting a website, sent direct requests to the defendants “in the ordinary course” of requesting advertising content at the direction of the visited website. Despite the plaintiffs’ claims that Google’s methods of obtaining this content were fraudulent or deceitful, the court noted that “just because a scenario sounds in fraud or deceit does not mean it sounds in wiretapping,” relying on prior cases dismissing wiretapping claims where a recipient of a telephone call imitated a third party. The plaintiffs also argued that the “intended recipient” exception is inapplicable where the interception is made “for the purpose of committing any criminal or tortious act” in violation of state or federal law, but the court noted that a secondary act, not the interception itself, must be criminal or tortious. As the plaintiffs had only pleaded criminal or tortious interception, not criminal or tortious use of the intercepted content, the court affirmed the dismissal of the Wiretap Act claim.
Turning to the Stored Communications Act, the court agreed with the Fifth, Ninth, and Eleventh Circuits that an end user’s home computer does not qualify as a “facility through which electronic communication service is provided,” as required under the SCA. The court also affirmed the dismissal of the plaintiffs’ CFAA claims, noting that the plaintiffs had not pleaded “damage or loss,” within the meaning of the statute, as a result of the defendants’ actions. The plaintiffs argued that the defendants’ unauthorized access to their personal information diminished its value, but the court noted that the complaint did not sufficiently allege that the plaintiffs ever intended to monetize their personal information, or that the defendants’ actions prevented them from doing so. Taken together, the Third Circuit’s affirmance of the District Court’s rulings on federal law issues supports important defenses for companies facing federal privacy law claims.
However, the Third Circuit rejected several of the District Court’s holdings on California constitutional and state law issues, vacating the dismissal of several claims and reviving a small portion of the plaintiffs’ complaint. Due to the similarity between the required elements, the court’s opinion addressed the claims for violations of the California constitution’s right to privacy and intrusion upon seclusion together. To demonstrate a violation of the right to privacy under the California constitution, a plaintiff must plead the existence of a legally protected privacy interest, reasonable expectations of privacy of the part of the plaintiff, and an intrusion that constitutes an “egregious breach of social norms.” An intrusion upon seclusion, on the other hand, requires an intentional intrusion that is “highly offensive to a reasonable person” into a place where the plaintiff has a reasonable expectation of privacy. The District Court had dismissed both claims, holding that the plaintiffs’ allegations did not rise to a “highly offensive” or “egregious” levels.
The state law portions of the Third Circuit’s opinion underscore the importance of ensuring that a company’s privacy policies and other public statements line up with actual practices. While an intrusion upon an individual’s privacy is not enough, in and of itself, to state a violation of California privacy law, an intrusion combined with inconsistent or deceptive public statements can lead to a different conclusion.